nginx configuration enforcing rate limit based on a value in request body to implement a rate limit for Flarum's forgot password API based on email instead of only based on source IP of the request:
github.com/GrapheneOS/dis
Could move some directives to http {} to reuse more.
Conversation
nginx's limit_req runs very early in the request and $request_body only exists much later. That variable also only exists if you use a reverse proxy via proxy_pass, fastcgi_pass, etc. Have to get the value out of request body with map, add as a header and reverse proxy to itself.
Replying to
Since it's a header, it can implement a rate limit with the email as the key for the rate limit zone once it proxies it to itself. Flarum treats the email value as an exact string so it can't be bypassed by adding whitespace, etc. Only problem is that 1r/m is the lowest rate.
1
2
For some reason nginx doesn't parse h and d for limit_req even though it supports them elsewhere. That's a bit annoying since I would have wanted to make it 1r/h or lower. There's a patch for adding support but I'd rather not have to use a patch. Kinda the point of doing this.
2